How to prevent mysql sleep injection?

Recently, a hacker tried to slow down a site using a sleep injection. Although we use precautions such as mysql_real_escape_string() to cover most of the vulnerable inputs, we pass the product id through the query string, and it makes the command look like

$id = mysql_real_escape_string($_REQUEST['id']);
$qry = "Select * from products where id = ".$id;

but the hacker tried to specify the input as

?id=3 and sleep(4)

and the request will be

Select * from products where id = 3 and sleep(4);

There are some possible solutions, such as: 1) check whether the product identifier is numeric or not; 2) remove the word sleep from the input using some custom function.

Is there any other way to stop this? Or could you please tell me which is the best method to prevent sleep injections?

+5

. mysql_real_escape_string SQL, , SQL. :

$qry = "SELECT * FROM products WHERE id = '$id'";

.

, :

$id = (int)$_GET['id'];
+20

SQL - . MySQL mysql_ PHP .

MySQLi PDO.

. SQL . SQL.

:

  • MySQLi:

    $stmt = $dbConnection->prepare('SELECT * FROM table WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // do something with $row
    }
    
  • PDO:

    $stmt = $pdo->prepare('SELECT * FROM table WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    foreach ($stmt as $row) {
        // do something with $row
    }
    

, , SQL, prepare, . ( ?, , :name), , . , execute, , .

, , SQL. SQL- script, , SQL . , SQL , -, . , , ( , , , ).

+9
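The two defenses recommended in the answers above (casting or validating the id as an integer, and moving to prepared statements) side by side, as an added example that is not code from the question or from any of the answers. It assumes a PDO connection to a MySQL database with a `products` table whose `id` column is an integer; the DSN, credentials and the `parseProductId`/`fetchProduct` function names are placeholders chosen for this example.

```php
<?php
declare(strict_types=1);

/**
 * The pattern from the question: escaping without quoting. When a bare numeric id
 * is concatenated into the SQL, escaping changes nothing in "3 and sleep(4)" (it
 * contains no quotes, backslashes or NULs), so the whole expression lands in the
 * WHERE clause. Shown only for comparison with the two functions below.
 */
function buildVulnerableQuery(string $escapedId): string
{
    return "SELECT * FROM products WHERE id = " . $escapedId;
}

/**
 * First answer's approach, made strict: accept only a positive integer and
 * return null otherwise, so "3 and sleep(4)" is refused rather than silently
 * coerced to 3 the way a bare (int) cast would do.
 */
function parseProductId(string $raw): ?int
{
    // ctype_digit() rejects signs, whitespace and any non-digit character;
    // the length cap keeps the value inside a 32-bit INT column range.
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Second answer's approach: a prepared statement. The id is sent as a typed
 * parameter, never spliced into the SQL text, so the query's structure cannot
 * be changed by the input even if validation were skipped.
 */
function fetchProduct(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Request handler combining both: validate first, then query with a bound parameter. */
function handleProductRequest(PDO $pdo, array $query): ?array
{
    $id = parseProductId((string) ($query['id'] ?? ''));
    if ($id === null) {
        http_response_code(400);
        return null;
    }
    return fetchProduct($pdo, $id);
}

// --- Demonstration with the payload from the question (constructed input) -------
$payload = '3 and sleep(4)';

// mysql_real_escape_string() no longer exists in PHP 7+; addslashes() stands in
// here and, like it, leaves this particular input untouched.
echo buildVulnerableQuery(addslashes($payload)), PHP_EOL;
// SELECT * FROM products WHERE id = 3 and sleep(4)

var_dump(parseProductId($payload)); // NULL   -> request rejected with 400
var_dump(parseProductId('3'));      // int(3)
var_dump(parseProductId('-3'));     // NULL
var_dump(parseProductId(' 3'));     // NULL

// Wiring (placeholder DSN and credentials; needs a live database to run):
// $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'password', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
// ]);
// $product = handleProductRequest($pdo, $_GET);
```

Validation and parameterisation are not alternatives here: the integer check gives the caller a clean error for bad input, while the bound parameter is what actually makes `and sleep(4)` impossible to execute as SQL, whatever the input looks like.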

.

"How to prevent mysql injections?" It should be. Sleep or not sleep - it does not matter.

And there are many answers on this.

+2

You must convert your queries to "prepared statements" using PDO or mysqli.

0
